COMPLIANCE BRIEFING: BLOG

The clock is ticking down towards 25 May 2018, the day when the new European Union data protection framework kicks in. The General Data Protection Regulation (GDPR) reflects a more stringent approach to safeguarding personal data and the privacy of individuals, and is an important step in creating Europe’s Single Digital Market.

The GDPR demands much greater responsibility and transparency from any organisation that handles personal data. Breaches will be severely punished, with fines of up to an eye-watering four per cent of global turnover and EUR20 million. What’s more, the supervising authority will publicise the details of any breach, adding reputational damage to the financial penalty for the offending organisation.

Generally speaking, large organisations – especially those in regulated industries such as financial services – are well equipped to meet the challenges of GDPR compliance. But there are still plenty of others who have yet to get themselves into shape and show they are at least on track in time for May 2018. What’s more, as these enterprises embark on digital transformation programmes, the technologies they embrace (the cloud, big data, mobile working and the Internet of Things) may hinder their ability to comply with GDPR unless the risks are properly understood and managed.

GDPR compliance in the cloud

Once upon a time, you knew exactly where your data and your applications were: safe behind a locked door in the IT department. Now, in the era of cloud computing, corporate applications and data are in multiple locations, often replicated and backed up somewhere else. The picture is very complex. Hybrid infrastructure models mean that some data is still under the control of the IT team, but other data is on third-party facilities. Companies must choose their cloud service carefully, taking care to understand where and how they store and manage customer data. Popular cloud products such as Microsoft’s Office 365 are already GDPR compliant. Every organisation should now specify GDPR compliance in any IT tender process and service contract – because even if the breach comes from one of your cloud service providers, you are still liable.

Another measure is to use software tools such as cloud access security brokers (CASBs), which police the perimeter between the enterprise and the cloud. CASBs let you see which cloud applications are being used, what data is transferred to and from them, and with whom that data has been shared. The beauty of a CASB is that it gives you an overview of what is happening where, and what weaknesses there might be. Armed with that intelligence, you can then begin to understand the risks associated with each cloud application, and define appropriate policies for their use. For organisations unsure where to begin, a good first step is to subscribe to a CASB service for a month and monitor activity across your cloud ecosystem. At the end of that period, you’ll have a good picture of what’s going on.

The cloud is behind the rapid growth of shadow IT, where individual departments or lines of business buy digital services for themselves, outside the jurisdiction of the IT department. Shadow IT opens up the possibility of hidden data flows that could unwittingly compromise security. This is where an Application Privacy Interface (API) is valuable: sitting between your data and cloud services, it monitors what goes where. So if an employee attempts to store credit card details or medical records on Dropbox, for example, the API will act – notifying the user, or encrypting or quarantining the data – depending on the rules you set.
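As an added illustration of the policy-based interception described above (this is not code from the original post or from any real CASB product), the Python below classifies the content of a single cloud upload event and maps it to an enforcement action. The app names, the sanctioned-app list, the medical keyword list and the rule table are all constructed assumptions.

```python
import re

# Constructed rule table (an assumption, not a real CASB's policy format):
# what to do when data of each classification heads to an unsanctioned cloud app.
POLICY = {"credit_card": "quarantine", "medical_record": "encrypt", "none": "allow"}
SANCTIONED_APPS = {"office365"}                                  # constructed allow-list
MEDICAL_TERMS = ("diagnosis", "patient id", "prescription")       # constructed keyword list
# 13 to 19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; rules out most random digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> str:
    """Label the content as credit_card, medical_record or none."""
    for match in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return "credit_card"
    lowered = text.lower()
    if any(term in lowered for term in MEDICAL_TERMS):
        return "medical_record"
    return "none"


def decide(app: str, text: str) -> dict:
    """Evaluate one upload event and return the enforcement decision."""
    label = classify(text)
    if app in SANCTIONED_APPS or label == "none":
        return {"classification": label, "action": "allow", "notify_user": False}
    return {"classification": label, "action": POLICY[label], "notify_user": True}


if __name__ == "__main__":
    # Constructed upload events: (cloud app, content being stored)
    events = [("dropbox", "card 4111 1111 1111 1111 exp 12/24"),
              ("dropbox", "Patient ID 7781, diagnosis pending"),
              ("office365", "card 4111 1111 1111 1111"),
              ("dropbox", "order ref 1234 5678 9012 3456")]
    for app, content in events:
        print(app, decide(app, content))
```

The Luhn check is what keeps an order reference or phone number from being quarantined as a card number; a real deployment would also log every decision so the CASB visibility described above is preserved.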

More data, more devices, more risks

The big data headache is only going to get bigger. You must be able to show you have the customers’ consent to store their data, and be able to notify them within 72 hours if a breach is likely to result in a high risk to them. Individuals will also have the ‘right to be forgotten’, and you’ll have to erase their data (which could be replicated in several databases) and let them know you have done so. Another issue around personal data is that while individual records may not identify the actual person, their identity becomes apparent when those records are brought together, which could happen internally or via an external service. Then there are several national differences around sovereignty – where your data resides geographically – to take into account. There are no easy answers to the big data question, and many companies will need to review and rebuild their data management processes.

Mobile working and employees using portable devices to access corporate data create new opportunities for accidental or malicious data breaches. Organisations need to secure both the device and the manner in which it connects to the network. Security starts with the choice of device (if corporate-owned), with some operating systems more secure than others. If the employee needs to work with sensitive information on a mobile device, then containerisation can safeguard the data. When it comes to access, you need to ensure that the most vulnerable traffic travels on a secure private connection. Or, if it must go across the internet (and more and more data will go across public networks as organisations seek to balance cost and bandwidth issues), then personal data must be encrypted.

The Internet of Things will dramatically increase the opportunities for data leakage. From a GDPR perspective, much of the data IoT devices generate will be personal (the location of an individual, health indicators, financial history). But with as many as 50 billion IoT devices in action by 2020, producing data round the clock, there are going to be gazillions of data transactions to police. How will we sort the wheat from the chaff? If even 10 per cent of data events require further investigation, it is still unmanageable. We will need to automate as much as possible, using machine learning, artificial intelligence and sophisticated algorithms that will identify patterns and spot anomalies with great accuracy.

Cybersecurity enables the digital business

Complying with GDPR is a daunting task for many organisations as they begin the task of transforming their relationships with customers and employees via digital technologies. However, never think that good cybersecurity is an obstacle to building a successful digital business. On the contrary – it is a principal enabler: through implementing the right data protection measures, you’ll not only show people they can trust you with their data, but you’ll also gain a deeper understanding of how your business works, which you can use to craft an ever-better digital experience for all your customers.